Disable automatic resource type detection (MIME-Type sniffing)
This guide explains how to protect your website and its visitors from malicious exploitation of MIME-type sniffing.
Introduction
- MIME-type sniffing is a technique used by web browsers to determine the content type of a resource when the MIME type provided by the server is ambiguous, missing, or incorrect.
- While it can sometimes improve user experience by making content accessible despite server misconfigurations, this feature also introduces significant security vulnerabilities:
  - When a browser performs MIME-type sniffing, it may interpret a text file as an executable script, potentially allowing cross-site scripting (XSS) attacks. For example, a file intended to be treated as plain text might be interpreted as JavaScript, enabling an attacker to execute malicious code in the user's browser.
- Disabling MIME-type sniffing protects visitors from unauthorized script execution and also strengthens the overall security of your website by reducing potential attack vectors.
Disable MIME-type Sniffing
To protect users and web applications from this type of vulnerability, disable automatic resource type detection in the .htaccess file of your site. The header below instructs the browser to strictly adhere to the MIME type specified by the server instead of attempting to guess it.

Placing the following directive in your .htaccess file disables MIME-type sniffing, provided the mod_headers module (which allows adding the header) is enabled on your Apache server:

- Open the .htaccess file of the affected site from your FTP Manager or FTP client software and add the following code:

    <IfModule mod_headers.c>
        Header always set X-Content-Type-Options "nosniff"
    </IfModule>

- Save the .htaccess file.
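As an added example (not part of this FAQ or of the hosting provider's tooling), the following Python script models what the header changes in the browser and checks that a .htaccess fragment actually sets it. The sample responses and the function names are constructed for this illustration; the blocking rules follow the Fetch standard's nosniff checks (a script load must carry a JavaScript MIME type, a stylesheet load must be text/css), and the regular expression accepts the directive with or without the `always` condition so you can tell the two apart.

```python
import re

# JavaScript MIME type essences listed by the MIME Sniffing standard
# (the subset servers commonly send).
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def get_header(headers, name):
    """Case-insensitive header lookup; headers is a plain dict."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def nosniff_enabled(headers):
    """True if X-Content-Type-Options opts the response out of sniffing.

    As in the Fetch standard, only the first comma-separated value counts
    and it is compared ASCII case-insensitively.
    """
    value = get_header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    first = value.split(",", 1)[0].strip()
    return first.lower() == "nosniff"


def mime_essence(content_type):
    """'text/javascript; charset=utf-8' -> 'text/javascript'."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def evaluate_load(headers, destination):
    """Decide whether a browser honouring nosniff blocks a load.

    destination is "script" (a <script src>) or "style" (a stylesheet link).
    Returns {"blocked": bool, "reason": str}.
    """
    essence = mime_essence(get_header(headers, "Content-Type")) or "(missing)"
    if not nosniff_enabled(headers):
        # Without the header the browser is free to sniff the body, which is
        # exactly the behaviour the FAQ wants to switch off.
        return {"blocked": False,
                "reason": "no nosniff: browser may sniff %r as %s" % (essence, destination)}
    if destination == "script" and essence not in JAVASCRIPT_MIME_TYPES:
        return {"blocked": True,
                "reason": "nosniff: %r is not a JavaScript MIME type" % essence}
    if destination == "style" and essence != "text/css":
        return {"blocked": True, "reason": "nosniff: %r is not text/css" % essence}
    return {"blocked": False, "reason": "nosniff: declared type matches %s" % destination}


# Matches the directive from the FAQ; Apache directive and header names are
# case-insensitive, the value may be quoted or bare.
HTACCESS_RE = re.compile(
    r'^\s*Header\s+(?P<always>always\s+)?set\s+X-Content-Type-Options\s+"?nosniff"?\s*$',
    re.IGNORECASE | re.MULTILINE)


def htaccess_sets_nosniff(text):
    """Return (directive_present, uses_always) for a .htaccess fragment.

    'Header set' only applies to successful (2xx) responses; 'Header always
    set' covers every status code, error pages included, which is why the
    FAQ's snippet uses it.
    """
    match = HTACCESS_RE.search(text)
    if not match:
        return (False, False)
    return (True, match.group("always") is not None)


# Constructed sample: the directive from the FAQ, as it would sit in the file.
HTACCESS_WITH_ALWAYS = """<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
"""

# Constructed sample responses (not real captures), keyed by a label.
SAMPLE_RESPONSES = {
    "upload without header": {"Content-Type": "text/plain"},
    "upload with nosniff": {"Content-Type": "text/plain",
                            "X-Content-Type-Options": "nosniff"},
    "real script with nosniff": {"Content-Type": "text/javascript; charset=utf-8",
                                 "X-Content-Type-Options": "NOSNIFF"},
}


def audit(responses, destination="script"):
    """Map each sample label to its verdict, for a quick report."""
    return {label: evaluate_load(h, destination) for label, h in responses.items()}


if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_RESPONSES).items():
        print("%-26s blocked=%-5s %s" % (label, verdict["blocked"], verdict["reason"]))
    print("htaccess directive present / uses always:", htaccess_sets_nosniff(HTACCESS_WITH_ALWAYS))
```

To confirm the change on a live site, request any page with `curl -sI` and look for `X-Content-Type-Options: nosniff` in the response headers; check an error page (a URL that returns 404) as well, because that is the case the `always` condition covers.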